1. Introduction

Hive of Hands Ltd ("Hive of Hands," "we," "our," or "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you access our website, mobile applications, and services (the "Platform"). It is provided in compliance with the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By using the Platform, you accept the practices described in this Privacy Policy. If you do not agree with our policies and practices, you must not use the Platform.

2. Scope of Policy

This Privacy Policy applies to personal information collected:

On our websites (hiveofhands.com)
Via our mobile and desktop applications
Through communications (email, SMS, or phone)
Through third-party sites and services that link to this Policy

3. Information We Collect

We may collect and process the following categories of personal data:

Personal Data You Provide

Identity Data: Full name, date of birth, gender, profile photo
Contact Data: Email address, phone number, home address
Work Eligibility Data: Right-to-work documentation, National Insurance number, certifications
Employment Data: Work history, skills, availability, preferences
Payment Data: Bank details (processed securely via third-party providers)
Communication Data: Messages exchanged within the Platform

Automatically Collected Data

Technical Data: IP address, device type, operating system, browser type
Usage Data: Pages visited, session duration, platform interactions

Data from Third Parties

Background check providers
Payment processors
Employers providing feedback

4. How We Use Your Information

We use your personal data to:

Provide, operate, and maintain our services
Facilitate shift placements and manage shift schedules
Verify your identity and work eligibility
Communicate with you, including essential service communications
Improve and personalize our Platform
Ensure security, fraud prevention, and regulatory compliance
Process transactions securely

We collect and process your personal data only for the specific purposes outlined in this Privacy Policy and ensure that the data is adequate, relevant, and limited to what is necessary for those purposes. We do not use your data for purposes incompatible with those stated without your consent or another lawful basis.

We rely on the following lawful bases for processing:

Contractual necessity
Legal obligation
Legitimate interests (e.g., improving services)
Consent (where required for marketing communications)

5. Sharing Your Information

We only share your personal data when necessary and under secure conditions:

With Recruiters: Profile and work history details
With Service Providers: Payment processors, cloud storage, IT support, and communication service providers (e.g., for delivering emails or notifications), who process data under strict confidentiality agreements
With Legal Authorities: Where legally required
With Third Parties: Only with your explicit consent

When you interact with third-party websites, services, or platforms linked from our Platform (e.g., Recruiter systems or payment processor portals), their own privacy policies and practices apply. We are not responsible for the privacy practices or content of these third parties and encourage you to review their policies before providing personal data.

Hive of Hands does not sell or rent your personal data to any third parties.

6. Data Security

We implement appropriate technical and organizational measures to secure your data, including:

Encryption during transmission and storage
Access controls and authentication protocols
Regular audits and vulnerability assessments

Hive of Hands is committed to protecting your personal data. We implement appropriate technical and organisational measures to safeguard your information against unauthorised access, alteration, disclosure, or destruction.

To provide our services efficiently, we utilize reputable third-party cloud hosting and backup providers. These providers store and process data on our behalf and are contractually obligated to adhere to stringent data protection and security standards. While we take all reasonable steps to ensure the security of your data, we rely on these third parties' security measures and data protection policies.

By using our platform, you acknowledge and agree that your personal data may be stored and processed by these third-party service providers. We ensure that any such third parties are compliant with applicable data protection laws, including the UK GDPR.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay, typically within 72 hours of becoming aware of the breach, via email or other contact methods provided in your account. The notification will include details of the breach, its likely consequences, and the measures we are taking to address it. We will also notify the Information Commissioner’s Office (ICO) as required by law.

Despite these efforts, no system can be 100% secure. Users are advised to keep passwords confidential and follow cybersecurity best practices.

Antivirus Services to Protect Your Data

In order for our chosen antivirus provider to effectively protect our systems and your data, it may process certain technical and system-related information. This processing is essential for the security of our services and your data.

The types of information that may be processed include:

System Information: Details about the devices connected to our network, such as operating system version, installed software, hardware specifications, and unique device identifiers. This helps the antivirus identify vulnerabilities and ensure compatibility.
File and Process Information: Information about files accessed, executed, or stored on our systems, including file names, paths, hashes (digital fingerprints), and their characteristics. This is vital for detecting and analysing malicious files.
Network Activity Data: Information related to network connections, such as IP addresses (both internal and external), URLs visited (by our systems), and communication patterns. This helps identify suspicious network activity and potential command-and-control communications.
Threat Intelligence Data: When a potential threat is detected, anonymous or pseudonymised data about the threat (e.g., file hashes, behavioural patterns) may be shared with the antivirus provider's global threat intelligence networks. This contributes to the collective defence against emerging cyber threats for all users globally, enhancing the effectiveness of the service.
Usage and Performance Data: Data relating to the performance and operation of the antivirus software itself, such as error reports, resource consumption, and feature usage statistics. This helps the provider improve its service.

Our primary focus is on protecting our systems and the data processed on them. While the antivirus may process data that could indirectly relate to individuals (e.g., file names created by a user, or an IP address temporarily assigned to a user's device), it is primarily used for security purposes only and not for profiling or tracking individual user behaviour beyond what is necessary to maintain security. Where possible, data is processed in an anonymised or pseudonymised form.

Our Lawful Basis for Using Third-Party Antivirus Services (UK GDPR):

Under the UK GDPR, our lawful basis for processing the above information through our third-party antivirus provider is typically:

Legitimate Interests: It is in our legitimate interest (and also in your legitimate interest as our user) to maintain a secure and resilient IT environment to protect against cyber threats, data breaches, and service disruptions. This processing is necessary for these legitimate interests and we have balanced this against your rights and freedoms.
Compliance with Legal Obligations: In some cases, we may have legal obligations to implement appropriate security measures to protect personal data.

How We Ensure Data Protection with Our Third-Party Provider

We carefully select our third-party antivirus provider and ensure they meet high standards of data protection and security. We have entered into appropriate data processing agreements (DPAs) with them, which legally bind them to:

Process personal data only on our documented instructions.
Implement appropriate technical and organisational measures to ensure the security of the data.
Assist us in complying with our UK GDPR obligations.
Notify us of any data breaches.
Not sub-contract their processing without our prior authorisation.

Data Transfers Outside the UK/EEA:

It is possible that our third-party antivirus provider, or their sub-processors, may process some of the aforementioned data outside the UK or the European Economic Area (EEA). Where this occurs, we ensure that appropriate safeguards are in place as required by UK data protection law. These safeguards may include:

Standard Contractual Clauses (SCCs): The use of UK-approved Standard Contractual Clauses (or the ICO's International Data Transfer Agreement/Addendum).
Adequacy Decisions: Transfers to countries deemed to provide an adequate level of data protection by the UK government.
Binding Corporate Rules (BCRs): If the provider is part of a multinational group with approved BCRs.

7. International Data Transfers

Your data is primarily processed and stored within the United Kingdom. If data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs)
Adequacy decisions for approved countries

8. Data Retention

We retain your personal data only for as long as necessary:

Active user accounts: As long as the account is active
Deactivated accounts: Up to 6 years for legal compliance
Financial transaction records: 7 years (tax purposes)
Shift application history: Up to 12 months of inactivity unless otherwise requested
Notification preferences, such as shift vacancy alert settings, are retained for as long as your account is active and up to 12 months after account deactivation, unless you request deletion

9. Your Rights Under UK GDPR

You have the following rights:

Access: Request a copy of your personal data
Rectification: Request corrections to inaccurate data
Erasure: Request deletion where applicable
Restriction: Request limited processing
Portability: Request transfer of your data
Objection: Object to processing based on legitimate interests
Withdraw Consent: Withdraw marketing consent at any time

You have the right to know the source of any personal data we collect about you from third parties (e.g., background check providers or employers providing feedback), as part of your right to access.

To exercise any of these rights, contact us via the Contact Us page at Hivefhands.com. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk.

10. Children Under 18

The Platform is intended only for individuals aged 18 and over. We do not knowingly collect personal data from individuals under 18 years old. If you believe we have collected data from a minor, please contact us immediately.

11. Cookies and Tracking Technologies

Our Use of Essential Website Cookies

Our web application uses cookies and similar technologies (such as local storage) that are strictly essential for its core functionality and to provide you with the services you request. These cookies are fundamental to the operation of our application and cannot be switched off in our systems.

These essential cookies are used for purposes that include:

Authentication and Session Management: To manage your login sessions and keep you securely logged into your account as you navigate through our application. Without these cookies, you would be unable to access protected areas of our service and would be logged out repeatedly.
Security Features: To support and enable security features, such as detecting and preventing fraudulent activity or unauthorised access to your account.
Load Balancing: To distribute network traffic efficiently across our servers, ensuring the continuous availability and optimal performance of our application.
Compliance: To remember your cookie preferences and ensure we comply with legal obligations regarding your data privacy.

Why We Don't Ask for Your Consent for These Cookies:

Under UK data protection law (including the UK GDPR and the Privacy and Electronic Communications Regulations - PECR), we are permitted to use these cookies without your explicit consent because they are strictly necessary for the provision of an information society service explicitly requested by you. These cookies are not used for analytics, advertising, or any other non-essential purpose.

Managing Essential Cookies:

While these cookies are necessary for the application to function, you can generally configure your web browser to block or alert you about them. However, please be aware that if you choose to block these cookies, certain parts of our application may not work correctly or be accessible to you. You can find information on how to manage cookies in your browser's help section.

12. Profile Information Visibility

When you create a Candidate profile, portions of your information may be made available to Recruiters using our Platform. We encourage Candidates to avoid including sensitive personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, health information). Profiles may be visible to Hive of Hands clients and may be stored in the client’s own systems where applications are made through co-branded pages.

13. Aggregated and Anonymized Data

Hive of Hands may collect and share aggregated, anonymized data (e.g., average shift rates, employment trends) that cannot reasonably be linked to individual users.

14. Essential Communications

By creating an account, you agree to receive:

Essential service communications (e.g., registration, account changes, shift alerts)
Regulatory communications

You can manage preferences for shift vacancy alerts through the email alerts settings page accessible via your account on the Platform. You may opt out of marketing communications, but not essential service communications, by following the instructions provided in such communications or contacting us via the Contact Us page at Hivefhands.com.

15. Changes to this Privacy Policy

We may update this Privacy Policy periodically. When we do, we will revise the "Effective Date" and post the updated version. Continued use of the Platform after changes constitutes acceptance.

16. Contact Us

For privacy-related inquiries or to exercise your GDPR rights, you may contact our Data Protection Officer (if appointed) or our designated privacy team via the Contact Us page at Hivefhands.com. If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us via the Contact Us page at Hivefhands.com.

17. Automated Decision-Making

The Platform may use automated processes to facilitate Shift Engagements, such as matching Candidates to shift vacancies based on skills, availability, or reliability ratings. These processes are designed to enhance efficiency and do not produce legal or similarly significant effects without human oversight. You have the right to request human intervention, express your point of view, or contest decisions made through automated processes by contacting us via the Contact Us page at Hivefhands.com. For more details on how your data is used in these processes, see our Contact Us page.